How can GRC (Governance, Risk and Compliance management) improve the Performance of an Organisation? DPEXNetwork

10 Jun, 2021

What is required of organisations today?

Organisations today face many different risks and requirements that are ever-changing and quick to affect them. To address these growing complexities, organisations, regardless of size (from SMEs to MNCs), have adopted a vision of Principled Performance. This is an approach to business that enables organisations to reliably achieve objectives while addressing uncertainty and acting with integrity.

At every level, the organisation needs to

  1. set objectives and strategies based on a comprehensive understanding of performance, risk, and related compliance issues,
  2. execute them effectively,
  3. monitor performance and adjust if necessary,
  4. monitor its compliance with regulatory and other requirements, and stay on top of changes in these requirements,
  5. manage the requirements on the third parties it employs.

In all of these cases, there is often a lack of ongoing, meaningful oversight from the governing body, and this affects business and consumer confidence.

Principled Performance and its Goal

In achieving its objectives, the organisation needs to address these requirements and challenges. It should consider both threats and opportunities, meeting the assurance required in mandatory commitments. Focusing on Principled Performance at every level of the organisation establishes a common goal and culture that supports success. It involves all functional units, each with its own team, processes, technologies, and information. All these must work together for the optimisation of the organisation. 

Why Principled Performance?

Principled Performance is a means to success, which can only be achieved by

  • setting common goals,
  • aligning information and core functions,
  • supporting them with strong communication and effective technology, and
  • aligning all of these with the development of the desired organisational culture.

These are linked and operated through fully integrated governance, risk management, and compliance capabilities.

Principled Performance and GRC

GRC refers to Governance, Risk management and Compliance: the critical capabilities that must work together to achieve Principled Performance.

What it is NOT – It is not creating a mega-department of GRC and doing away with decentralized or programmatic approaches to risk and compliance management. Nor does it necessarily call for the use of only one GRC technology system.

What it IS – It is about establishing an approach that ensures the right people get the appropriate and correct information at the right times, that the right objectives are established, and that the right actions and controls necessary to address uncertainty and act with integrity are put in place.

When business activities operate in a silo, with their own information kept separate, it is highly likely that wrong or counter-productive objectives will be established. Moreover, sub-optimal strategies will be selected, and performance will not be optimised.

What makes up a GRC framework?

An organisation that strives to achieve Principled Performance will have a number of integrated capabilities and be able to track, communicate and manage them as one entity. In short, a GRC capability model should have the following key components:

  • L – LEARN: Analyse and learn the external, internal and cultural contexts, including learning from stakeholders.
  • A – ALIGN: Align performance, risk and compliance objectives, strategies, decision-making criteria, actions and controls with the context, culture and stakeholder requirements.
  • P – PERFORM: Address threats, opportunities, and requirements by encouraging desired conduct and events, and preventing what is undesired, through the application of proactive, detective, and responsive actions and controls.
  • R – REVIEW: Conduct activities to monitor and improve the design and operating effectiveness of all actions and controls, including their continued alignment to objectives and strategies.

An organisation that can and will constantly learn, align, monitor its performance and review is definitely on course to improve its performance.

GRC and Data Protection Management Programmes

Most organisations in the digital economy cannot function without personal data, which makes data a major risk area that the organisation has to govern and manage. In fact, many jurisdictions require a dedicated Data Protection Officer (DPO). The data protection framework prescribes that organisations

  • Assess,
  • Protect,
  • Sustain and
  • Respond

to data risks and breaches. From this it is apparent that the Data Protection Management Programme (DPMP) framework is an operational manifestation of the Learn, Align, Perform and Review process of GRC within the data protection field. For this reason, the management of risks in GRC and in data protection is closely linked, and in many organisations the Data Protection function resides in the GRC (Compliance) department.

Where do I begin?

Watch our evergreen webinar to understand and join the discussion outlining what constitutes an effective Governance, Risk Management and Compliance (GRC) framework to reduce the risks associated with business operations and compliance.

Build your knowledge through courses on GRC. Look for a training programme that gives participants hands-on skills and tools, and that enables the organisation to have a “risk convergence” platform.

"Our staff found the real-life cases beneficial to help them see more reality in the GRC principles. The activities created by Straits Interactive were especially effective to help us uncover gaps which we never knew existed. That enabled us to plan for controls to arrest our current and potential risks. 

Overall, I fully endorse Straits Interactive's course proposal application to SSG to conduct GRC Professional Training (GRCP) as it would elevate the expertise of more professionals in the areas of Governance, Risk and Compliance which are very critical in all operating environments."

- Senior Executive, Business Consultancy company

Join the DPEX Network community to take an active part in the exchange of ideas and best practices, and to network with fellow GRC professionals.



Article by: Leong Wai Chong, GRCP, CIPM

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.

